Of course, many employees are simply unaware of the ways in which they expose their workplaces to potential breaches, which is why education is key.

Here are just some of the ways in which employees can inadvertently expose your organisation to cybersecurity threats, and how you can mitigate those risks.

Risk: Employees using insecurely configured personal (bring-your-own) devices when working in public spaces

More workplaces are adopting BYOD policies, since they reduce hardware costs, give employees more flexibility and can improve productivity. But every extra device is another endpoint the organisation does not fully control, and one that is only as secure as its owner's habits.

Personal devices are most exposed when employees are out and about. Most people wouldn't think twice about sending a quick email from a café or an airport, leaving a device unattended for a minute or two in a hotel, or letting a teenage son use the laptop or phone for an hour. Each of these gives an outsider a chance to read what is on the screen, tamper with the device or install something on it.

Remedies

Develop stringent and enforceable BYOD policies that spell out both the security measures personal devices must have and the behaviours employees are required to follow. This might include things like:

Ensuring devices lock automatically after a short idle period and require a PIN, passphrase or biometric to unlock

Limiting which corporate systems a personal device can connect to, rather than giving it the same reach as a managed machine

Ensuring antivirus and anti-malware software is installed, up to date and running

Enforcing operating-system and application updates and patches

Practising physical security measures off-site or in open-plan areas: never leaving a device unlocked and unattended, and not lending it to family members

Implement mobile device management (MDM) software, which can require a PIN or passcode to unlock the device; locate, lock and remotely wipe a lost device; and keep personal and corporate data in separate containers, so that corporate data can be wiped selectively without touching the employee's own photos and messages.

Risk: Employees using public Wi-Fi to access corporate information

Employees might think it is perfectly fine to use free public Wi-Fi to send an email or download an attachment. Open public networks, however, have no link-layer encryption, so anyone within radio range can capture the traffic, and on networks with a shared password other users who know that password can often do the same. Any data exchanged with a site or service that does not itself encrypt the connection can then be read or altered. Attackers can go further and stand up their own hotspot with a legitimate-sounding name ("Starbucks Free Wifi", for example) so that anyone who connects to it routes all of their traffic through the attacker's device, where it can be inspected at leisure.

Remedies

Educate employees about the risks of using free public Wi-Fi.

Require employees to use a company VPN for anything work-related on public Wi-Fi, so that traffic is encrypted between the device and the corporate network regardless of what the hotspot does.

If a VPN is unavailable, employees should only use websites served over HTTPS (the address starts with "https://" and the browser shows a padlock in its address bar, not merely next to a link on the page), or should tether to their phone's mobile network instead. Bear in mind that HTTPS protects the content of each connection but still lets the hotspot operator see which sites are being visited.

Risk: Employees ‘stashing’ sensitive data on their own devices and cloud services

Workplaces are becoming more flexible, but legacy systems, usually designed to keep content inside the office, are sometimes unable to keep up. Employees then find other, less secure ways to get at the information they need while at home or travelling: copying it to personal hard drives, USB sticks or personal cloud services, where it may sit unencrypted, be shared more widely than intended, or simply be lost.

Remedies

Teach employees how to encrypt hard drives and USB sticks before putting any work-related information on them, using the full-disk encryption their operating system already provides (BitLocker on Windows, FileVault on macOS, LUKS on Linux), and make sure the recovery key is kept somewhere other than on the device itself.

Store information in a central location and give users a user-friendly mechanism for secure remote access, such as a mobile app that requires a login (ideally with a second factor) and talks to corporate servers only over an encrypted connection, so there is no need to copy files out in the first place.

Risk: Employees falling for targeted phishing emails

Attackers are increasingly opting for smaller, more targeted campaigns to get a foothold in a network, using information about employees gleaned from social media and other public sources to make their emails far more convincing: a message that mentions the recipient's manager, a current project or a recent trip is much harder to dismiss than a generic one.

Remedies

Educate employees about how to recognise suspicious emails: a sender address that does not match the display name, a reply address on a different domain, links whose visible text differs from where they actually lead, lookalike domains, and pressure to act urgently.

Educate employees about social media use, and how information they post can make them and their workplace vulnerable. In short, employees shouldn't post anything they wouldn't want displayed on a public banner.

Test employees' ability to recognise suspicious emails with a phishing-simulation service such as PhishMe (now Cofense), which sends realistic fake phishing emails to employees on a regular basis and reports who clicked, so that further training can be targeted at those who are particularly susceptible.
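The tells that awareness training teaches can also be checked mechanically. The script below is an added example, not part of the original article or of any product it mentions: it parses a raw email with the Python standard library and flags a sender outside the organisation or on a lookalike domain, a display name that carries a fake internal address, a Reply-To pointing elsewhere, links whose visible text names a different host than their real destination, and urgency cues in the subject. The trusted domain (example.com), the urgency word list and the sample message are all constructed for this example.

```python
"""Flag common spear-phishing tells in a raw email, using only the standard library."""
from __future__ import annotations

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the domains this organisation genuinely sends mail from.
TRUSTED_DOMAINS = {"example.com"}
# Words that pressure the reader to act before thinking.
URGENCY_WORDS = ("urgent", "immediately", "expires", "verify", "suspended")


def registrable(host: str) -> str:
    """Last two DNS labels; a crude stand-in for the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    # Undo the usual visual swaps (rn->m, 1->l, 0->o ...) before comparing.
    normalised = domain
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        normalised = normalised.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or edit_distance(domain, trusted) == 1:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text: str) -> str | None:
    """If the anchor text looks like a URL or hostname, return that host."""
    host = urlparse(text if "://" in text else "//" + text).hostname
    return host if host and "." in host else None


def analyse(raw: bytes) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    sender = msg["from"].addresses[0]
    sender_domain = sender.domain.lower()
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(("external-sender", sender.addr_spec))
        if (target := lookalike_of(sender_domain)):
            findings.append(("lookalike-sender", f"{sender_domain} imitates {target}"))

    # "IT Helpdesk <it@example.com>" <x@evil.test>: the name carries a fake address.
    name = sender.display_name.lower()
    if "@" in name and sender.addr_spec.lower() not in name:
        findings.append(("display-name-mismatch", sender.display_name))

    if msg["reply-to"]:
        reply_domain = msg["reply-to"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(("reply-to-elsewhere", reply_domain))

    subject = str(msg["subject"] or "")
    if any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(("urgency-cue", subject))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            real_host = (urlparse(href).hostname or "").lower()
            shown_host = host_in_text(text)
            if shown_host and registrable(shown_host) != registrable(real_host):
                findings.append(("link-mismatch", f"shows {shown_host}, goes to {real_host}"))
            if real_host and (target := lookalike_of(registrable(real_host))):
                findings.append(("lookalike-link", f"{real_host} imitates {target}"))
    return findings


# Constructed sample message for this example, not a real phishing email.
SAMPLE = b"""\
From: "IT Helpdesk <it@example.com>" <helpdesk@examp1e.com>
Reply-To: recovery@mail-reset.net
To: alice@example.com
Subject: URGENT: your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset it now at
<a href="http://login.examp1e.com/reset">https://sso.example.com/reset</a>
before your account is suspended.</p></body></html>
"""

if __name__ == "__main__":
    for code, detail in analyse(SAMPLE):
        print(f"{code:24} {detail}")
```

Run on the sample, it reports all seven tells (lookalike sender, fake address in the display name, Reply-To on a third domain, urgency in the subject, a link that shows sso.example.com but leads to login.examp1e.com, and the lookalike link host). A clean internal message with a plain-text body produces no findings. The lookalike check is deliberately simple; a production filter would use a proper public-suffix list and a larger confusable-character table.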

General cybersecurity best practices

Have a strong and enforceable password policy: According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords, so having a password policy, and enforcing it, is essential. Your policy may require passwords of at least 8 characters with upper- and lower-case letters, numbers and special characters (longer passphrases are better still, since length does more for strength than forced character mixes), and a different password for every account. A password manager makes that last rule practical for employees rather than a burden, and a second authentication factor on email, VPN and other remote access limits the damage when a password does leak.

Employ role-based access control: Employee access should be restricted to the systems required for their jobs. For example, there is no reason someone in Sales should be able to open HR documents, nor should someone in HR be able to read Sales data. Restricting access in this way significantly limits what an attacker can reach with a stolen set of credentials, and also helps to prevent malicious activity by employees themselves.

Perform regular backups: Employees should also understand why regular backups matter, so that data can be restored after accidental deletion, hardware failure or ransomware. Keep backups somewhere the everyday user account cannot overwrite them, and test a restore from time to time; a backup that has never been restored is an assumption, not a safeguard.

The reality is that no organisation, however large or small, is immune to cybersecurity threats. With clear, enforceable policies, regular training and sensible use of technology to help with compliance, organisations can go a long way towards keeping their data safe from attack.